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Abstract 

The problem of anonymous networking when an eavesdropper observes packet timings in a commu- 
nication network is considered. The goal is to hide the identities of source-destination nodes, and paths 
of information flow in the network. One way to achieve such an anonymity is to use mixers. Mixers 
are nodes that receive packets from multiple sources and change the timing of packets, by mixing 
packets at the output links, to prevent the eavesdropper from finding sources of outgoing packets. In 
this paper, we consider two simple but fundamental scenarios: double input-single output mixer and 
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■ double input-double output mixer. For the first case, we use the information-theoretic definition of the 

00 ■ 

anonymity, based on average entropy per packet, and find an optimal mixing strategy under a strict 
^0 I latency constraint. For the second case, perfect anonymity is considered, and a maximal throughput 

I strategy with perfect anonymity is found that minimizes the average delay. 

o 



^ ■ I. Introduction 

Secure communication has become increasingly important. Privacy and anonymity consider- 
ations apply to all components of a communication network, such as contents of data packets, 
identities of source-destination nodes, and paths of information flow in the network. While a 
data packet's content can be protected by encrypting the payload of the packet, an eavesdropper 
can still detect the addresses of the source and the destination by traffic analysis. For example, 
observing the header of the packet can still reveal the identities of its corresponding source- 
destination pair. Onion Routing [JJ and Tor network [|2l are well-known solutions that provide 
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protection against both eavesdropping and traffic analysis. The basic idea is to form an overlay 
network of Tor nodes, and relay packets through several Tor nodes instead of taking the direct 
path between the source and the destination. To create a private network, links between Tor 
nodes are encrypted such that each Tor node only knows the node from which it receives a 
packet and the node to which it forwards the packet. Therefore, any node in the Tor network 
sees only two hops (the previous and next nodes) but is not aware of the whole path between the 
source and the destination. Therefore, a compromised node cannot use traffic analysis to identify 
source-destination pairs. But Tor cannot solve all anonymity problems. If an eavesdropper can 
observe the traffic in and out of some nodes, it can still correlate the incoming and outgoing 
packets of relay nodes to identify the source and the destination or, at least, discover parts of 
the route between the source and the destination. This kind of statistical analysis is known as 
timing analysis since the eavesdropper only needs packet timings. For example, in Figure [H if 
the processing delay is small, there is a high correlation between output and input processes, 
and the eavesdropper can easily identify the source of each outgoing packet. 

To provide protection against the timing analysis attack. Tor nodes need to perform an 
additional task, known as mixing, before transmitting packets on output links. A Tor node with 
mixing ability is called a Mixer. In this solution, the Mixer receives packets from multiple links, 
re-encrypts them, and changes timings of packets, by mixing (reordering) packets at the output 
links, in such a way that the eavesdropper cannot relate an outgoing packet to its corresponding 
sender. 

The original concept of mix was introduced by Chaum |[3l. The mix anonymity was improved 
by random delaying [4J (Stop-and-go MIXes), and dummy packet transmission [5J (ISDN- 
MlXes), and used for the various Internet applications such as email L6J and WWW dTj] (Crowds). 
Other proposed anonymity schemes are JAP MorphMix [19||, Mixmaster [fTOll . Mixminion [[TTIl . 
Buses [|T2|. etc. 

However, theoretical analysis of the performance of Chaum mixing is very limited. The 
information-theoretic measure of anonymity, based on Shannon's equivocation lfT3l . was used 
in [ fT4l | to evaluate the performance of a mixing strategy. The approach of [HU does not take 
into account the delay or traffic statistics; whereas, modifying packet timings to obfuscate the 
eavesdropper indeed increases the transmission latency. So, the question of interest is: what is 
the maximum achievable anonymity under a constraint on delay? 
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Characterizing the anonymity as a function of traffic load and the delay constraint has been 
considered in [fTSl. The authors in [15] have considered a mix with two input links and one 
output link, where arrivals on the input links are two poisson processes with equal rates, and 
they characterize upper and lower bounds on the maximum achievable anonymity under a strict 
delay constraint. The basic idea is that the mixer waits for some time, collects packets from two 
sources, and sends a batch containing the received packets to the output. The implicit assumption 
in ifTSl is that there is no constraint on the capacity of the output link, i.e., the batch can be 
transmitted instantaneously at the output, no matter how many packets are contained in the batch. 

The path between any source-destination pair in an anonymous network contains several nodes; 
each of which has, possibly, several input links and several output links. At each node, to perform 
routing, traffic generated by two or more sources can be merged into one outgoing stream, or the 
merged stream can be decomposed at several output links for different destinations. To expose 
the main features of mixing strategies, we focus on two fundamental cases: double input-single 
output mixer. Figure [B and double input-double output mixer. Figure [21 Compared to [15], our 
model considers cases with finite link capacities and derives optimal solutions for certain cases. 
The remainder of the paper is organized as follows. In section [III the double input-single output 
mixer is considered, and the optimal mixing strategy is found to maximize the anonymity under 
a strict latency constraint. Section [nl] is devoted to the double input-double output mixer, where 
the optimal mixing strategy is found under a constraint on packet drop rate, or transmission rate 
of dummy packets. Finally, we end the paper with some concluding remarks. 

II. DOUBLE input-Single Output Mixer 

Consider Figure \T\ where there are two incoming flows, red and blue, and one outgoing link. 
The capacity of each input link is 1 packet/time- slot, and the capacity of the output link is 2 
packets/time-slot. This model ensures that packets do not have to be dropped due to lack of 
capacity, even when the input links bring in data at maximum rate. Red and blue packets arrive 
according to i.i.d. Bernouli processes with rates A/j and A b respectively. There is an eavesdropper 
observing the incoming and outgoing packets. Assume the eavesdropper knows the source of 
each incoming packet, i.e., its color. This might be made feasible by traffic analysis if the mixer 
is the first hop of the route or, otherwise, by timing analysis of the previous hop. Given the 
source of each incoming packet, the eavesdropper aims to identify the source of each outgoing 



Fig. 1. The double input-single output mixer. The capacity of each input link is 1 packet/time slot and the capacity of the 
output link is 2 packets/time slot. 



packet, i.e., assign colors, red and blue, to the outgoing stream of packets. 

First, consider the case where we do not allow for any delay, i.e., the mixer must send packets 
out in the same slot in which they arrived. Note that this is possible, without any packet drop, 
since at most two packets arrive in each slot, and the capacity of the output link is 2 packets/slot. 
Then, the only way to confuse the eavesdropper is to send out a random permutation of received 
packets in each slot. 

By allowing a strict delay T for each packet, the mixer can do better; it can select and permute 
packets from the current slot and also from the previous slots up to T — 1 slots before. Let \E't 
denote the set of all possible mixing strategies that satisfy the strict delay constraint T. Let 
the random variable Ik denote arrivals in /c-th slot, therefore can be 0, R, B, or RB, where 
they respectively denote the cases of no arrivals, red arrival but no blue arrival, blue arrival 
but no red arrival, and both red and blue arrivals. Similarly define a random variable Ok for 
the output sequence such that Ok E {0, R, B, RB, BR} (Note that ordering of packets at the 
output matters). Next, we define anonymity of a mixing strategy 4' ^ ^r, based on the average 
conditional entropy of the output sequence given the input sequence, as follows. 

Definition 1. The anonymity of a mixing strategy ip is defined as 

1™ -T77V^-^,H{0^02■■■ON\IlI2■■■IN). 

Note that in the above definition, the numerator is the entropy of the output sequence given 
the input sequence of length N, and the denominator is the average number of red and blue 
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arrivals in slots. So, as — > oo, anonymity is the amount of uncertainty in each outgoing 
packet, bits/packet, observed by the eavesdropper. 

Remark 1. By using the Fano 's inequality, the anonymity provides a lower bound for the 
probability of error in detection incurred by the eavesdropper / f73l/ . 

We wish to find the optimal strategy if)* E that maximizes the anonymity. The case of 
T = is trivial since, in this case, the output sequence is i.i.d. as well, and therefore 

1 1 ^ 

-H{0,02---ON\hl2---lN) = -Y,H{Ok\h---h) 

k=l 
1 ^ 

k=l 

= H{Oi\h) 

= XR\BH{Oi\h = RB). 

Therefore, to maximize the anonymity, the mixer must send a random permutation of the received 
packets, in the case of both read and blue arrival, with equal probability to get H{Oi\Ii = RB) = 
1. Correspondingly, the maximum anonymity is given by 



Xr + As 

In the rest of this section, we consider the more interesting case of T = 1, where each packet 
has to be sent out in the current slot or in the next slot. By the chain rule [17], the conditional 
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entropy of the output sequence can be written as 

H{0i---0n\Ii---In) = H{Oi\h---lN) + 

H(02\h---lN,0,) + --- + 
H{0^\h---I^,Oi---ON_i). 
For the latency constraint T = 1, the right hand side of the equaUty can be simpUfied as 

H{0,\h) + H{02\Ii, h, Oi) + • • • + H{On\In-i, In, On-i). 

But 

H{Ok\Ik, h-i, Ok-i) — H{Ok\Ik, Ik-i, Ok-i, Qk-i), 

where Qk-i '■= Ik-i\Ok-i- Note that Qk-i denotes what has been left in the queue for trans- 
mission in the next slot. Noting that Ok is conditionally independent of Ik-i and Ok-i, given 
both Ik and Qk-i, the conditional entropy of the output sequence can be written as 

N 

H{0^ ■ ■ ■ O^lh ...I^) = J2 HiOklh, Qk-i), 

k=l 

where we defined the initial condition as Qo = 0- Therefore, maximizing the average entropy 
of the output sequence is equivalent to 

1 ^ 

max jirn^ — J^^;,,,^ [H{Ok\Ik,qk-i)], 

k=l 

where g^-i e {0, R, B, RB} denotes a realization of the random variable Qk-i- This can be 
viewed as an average reward maximization problem where, at each slot k, the state of the system 
Xk is the queue at the end of the previous slot, i.e., Qk-i, and the reward of action Uk in state 

Xk{= Qk-i) is c(xfc, Uk) = H{Ok\Ik, Qk-i)- Roughly speaking, the action Uk is to randomly select 
some packets from Ik and qk-i, and send the permutation of the selected packets to the output. 
Let w denote the maximum value of the above average entropy maximization problem, then, by 
definition, 

+ Xb 

and the optimal mixing strategy ^* is the one that chooses the corresponding optimal policy for 
the average entropy maximization problem. In order to solve the problem, next we identify the 
possible actions for different states which will allow us to define the reward function in more 
detail and provide an explicit solution. 
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A. Set of possible actions and corresponding rewards for different states 

There is a set of possible actions for each state depending on different arrival types. In the 
following, we identify the set of actions and their corresponding rewards for each case. 

1) Qk-i = 

(i) Ik — $: In this case, obviously, there will be no transmission at the output link and 
the queue will remain empty as well, i.e., Ofc = and Qk = 0. The corresponding 
entropy is H{Ok\Ik = 0, Qk-i = 0) = 0. 

(ii) Ik = R: Two options are possible; the mixer can queue the arrived packet, with 
probability cc^, or send the packet in the current slot, with probability 1 — ak. No 
matter what the mixer does, the entropy in this slot H{Ok\Ik — R,Qk-\ = 0) = 0. 
Correspondingly, the queue is updated as Qk — R, with probability of ak, or Qk — 0, 
with probability of 1 — 0;^. 

(iii) Ik = B: This case is similar to the previous case except that we use Pk instead of 
ak. Therefore, Qk = B, with probability 13k, or Qk = 0, with probability 1 — I3k, and 
H{Ok\Ik^B,Qk-i^^)^Q. 

(iv) Ik — RB: The mixer has four options; it can queue both packets (with probability 
1 — Sk), send both out (with probability Sk{'^ — yk)), keep only R and send B out (with 
probability SkVki^ — Pk)), or keep only B and send R out (with probability SkVkPk)- 
Note that the parameters Sk, Vk, and pk have been used to characterize the probabilities. 
Intuitively, Sk is the probability that a transmission at the output link happens at all, 
Uk is the probability of sending only one packet out given a transmission must happen, 
and Pk is the probability of sending R out given that only one packet is transmitted 
at the output. Accordingly, 

H{Ok\Ik = RB, Qk-i = 0) = sfe {ykHiPk) + l-yk), 
where H is the binary entropy function given by 

n{p) = -piog(p) - (1 -p) iog(i -p) 

for < p < 1. 

2) Qk-i — R 
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(i) /fe = 0: The mixer has to send the content of the queue to the output, therefore — R, 
and obviously, H{Ok\Ik = 0, Qk-i = R) = and Qk = 0. 

(ii) Ik = R: The mixer can queue the recent R, with probability 7^, and send Qk-i to the 
output, or can send both Qk-i and the recent arrival to the output, with probability 
1 — 7fc. Therefore, Qk — R (Ok — R) with probability 7^, or Qfe = (Ok — RR) with 
probability 1 — 7^. The corresponding entropy will be zero, i.e., H(Ok\Ik — R, Qk-i — 
R) = 0. 

(iii) Ik — B: Again mixer has two options; it can send a random permutation of R and B 
to the output, i.e., Qk = 0, with probability a^, or it can queue the B and send only 
the R out, i.e., Qk = B, with probability l — ak- The entropy is H(Ok\Ik = B, Qk-i — 
R) = Ofc. 

(iv) Ik — RB: The mixer has three options; it can queue both arrivals, i.e., Qk — RB, 
with probability 1 — tk, keep only the red arrival in the queue, i.e., Qk — R, with 
probability ^^(1 — dk), or keep only the blue arrival in the queue, i.e., Qk — B, with 
probability tkdk- Correspondingly, 

tkdk ; Ok — RR 

tk{l-dk)/2 ■,Ok^RB 
tk{l-dk)/2 ]Ok^BR. 



P{Ok ^Ok)^{ 



and 



H{Ok\Ik = RB, Qk-i = R) = tk {n{dk) + 1-4) 



3) Qk-i = B 

Since this case is similar to the previous case, the details are omitted for brevity. 

(i) Ik = Obviously, H{Ok\Ik = 0, Qk-i = B) = 0, and Qk = 0. 

(ii) Ik — B: H{Ok\Ik — B, Qk-i — B) — 0. Options are Qk — B, with probability 5k, or 
Qk — 0, with probability 1 — Sk. 

(iii) Ik — R: II{Ok\Ik — R, Qk-i — B) —hk- Options are Qk — R, with probability 1 — bk, 
or Qk — 0> with probability 6^. 

(iv) Ik = RB: The mixer can keep both arrivals in the queue, i.e., Qk = RB, with 
probability l — Zk, keep only the red arrival in the queue, i.e., Q^ = R, with probability 
ZkVk, or keep only the blue arrival in the queue, i.e., Qk = B, with probability Zk{l — 
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Tfe). The entropy is 

H{Ou\h = RB, Qk-i = B)=Zk (Hin) + 1 - rfe) . 

4) Qk-i = RB 

The mixer has to send the contents of the queue to the output, i.e.. Ok — RB or BR with 
equal probabilities, and queue all the recent arrivals, i.e., Qk = h- The entropy is simply 

H{Ok\Ik,Qk-i = RB) = l. 
Recall that the reward function is 

C{xk,Uk) = H{Ok\Ik,(lk~i) = Ej^ [H{Ok\ik,(lk-i)\ 

where ik denotes a realization of Ik- Therefore, the reward function, and queue updates, for each 
state are the following. 

1) Qk-i = 0: 

The reward function is given by 

C(0, Ufc) = XuXbSu {yk'H{pk) + l- yk) 
and the queue is updated as 

Xr{i - XB)oik + XR^BSkUkO- - Pk) ;q^R 
As(l - XnjPk + XRXsSkVkPk B 
XuXsil-Sk) ■q = RB 

. ;g = 

where we used the notation " " for the probability of having an empty queue, since 

we will not need the explicit expression of this probability, although, it can be, obviously, 

derived from the other three probabilities. 

2) Qk-i — R' 
The reward function is given by 

C{R, Uk) = Xb{1 - XR)ak + XuXetk {H{dk) + 1-4) 
and the queue is updated as 



P{Qk = q\Qk-i = ^,Uk) = < 



P{Qk = q\Qk-i = R,Uk) = < 



Xr{1 - As)7fc + XRXstkil - dk) 

Ab(1 — Xr){1 — Uk) + XRXstkdk 
XrXb{1 — tk) 



q^R 
q = B 
q = RB 
g = 
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3) Qk-i = B: 

The reward function is given by 

C{B, Uk) = Xr{1 - XB)hk + XnXBZk {H{rk) + 1 - r^) 
and the queue is updated as 

Ar(1 - Ab)(1 - hk) + XuXsrhZk R 
Xsil - XR)Sk + XuXsZhil - Tk) ]q^B 
XrXb{^ — Zk) 



P{Qk = q\Qk-i = B,Uk) = < 



■,q^RB 



4) Qk-i = RB: 

The reward function is given by 

and the queue is updated as 



C{RB,Uk)^l 



P{Qk = q\Qk-i = RB,Uk) = < 



Xr{1- 


Xb) 


;q 


^R 


Xb{1- 


Xr) 


;q 


^B 


XrXb 




;q 


^RB 






;q 


= 



B. Optimal stationary mixing strategy 

The following Theorem states one of our main results. 

Theorem 1. For the double input-single output mixer, the optimal mixing strategy is the following. 
At each time k, given Qk-i and Ik, if 

1) Qk-i = 

. 4 = 0, R, B: Qfc = 4, Ok = 0. 

• Ik — RB: send R out with probability p* or B with probability 1 — p*, Qk — Ik\Ok- 

2) Qk-i — R 

• h = ^, R: Qk = Ik, Ok = Qk-i- 

• Ik = B: transmit a random permutation of R and B, Qk = 0. 

• 4 = RB: transmit RR with probability d*, or transmit a random permutation of R 
and B with probability 1 — d*, Qk — Ik\Ok- 
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3) Qk-i = B 

• Ik = ^, B: Qk = Ik, Ok = Qk-i- 

• Ik = R: transmit a random permutation of R and B, Qfc = 0. 

• Ik = RB: transmit BB with probability r*, or transmit a random permutation of R 
and B with probability 1 — r*, = Ik\Ok, 

where probabilities p*, d*, and r* depend on arrival rates Xr and Xb- 

In the special case Xr = Xb, p* = |, (i* = |, and r* = |. 

Proof of The orem\^ Having formally defined the reward function and the dynamics of the 
system in subsection III-Al we use the following well-known result to solve the average reward 
maximization problem ifTSl . 

Lemma 1. Suppose there exists a constant w and a bounded function 0, unique up to an additive 
constant, satisfying the following optimality equation 

w + = max {C{x, u) + E[(I){xi)\xq = x,uo = u} 

u 

Then w is the maximal average-reward and the optimal stationary policy is the one that chooses 
the optimizing u. 

Since (p is unique up to an additive constant, without loss of generality, assume 0(0) = 0. 
Then, for x = 0, the optimality equation can be written as 

w = max {XrXbs {yH{p) + l-y) 

+ [Xr{1 - XB)a + XnXBsyil - p)](j){R) 
+ [Xb{1 ~ Xr)P + XBXBsyp](PiB) 
+ [XbXb{1 - sMRB)} . 

Obviously, a = 1 and P = I maximize the right hand side if (f){R) and 0(5) are nonnegative. 
We will later see that 0(-R) and 0(5) are indeed nonnegative. Therefore, the right hand side of 
the optimality equation can be written as 

XrXbs [y {n{p) - 1 + (1 - p)0(i?) + p<P{B)) + 1 - (PiRB)] 
+Xr{1 - Xb)<P{R) + Xb{1 - Xr)<P{B) + XrXb<P{RB). 
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First, consider the term H{p) — 1 + (1 — p)(j){R) +p(j){B). This term is maximized by choosing 
We will later show that 

nip*) - 1 + (1 +p*<P{B) > 0, (2) 

and therefore y* = 1. Furthermore, for y* = 1, we will see that the term inside the brackets is 
always nonnegative, i.e., 

nip*) + (1 - p*)(/>iR) + p*(t>iB) - <t>iRB) > 0, (3) 

and therefore s* — 1. Finally, w is given by 

w = ArAbH(p*) + Ar(1 - ABp*)0(i?) 

+ Ab(1-A^(1-p*))0(S). (4) 

Next, consider the optimality equation for a; = i?. It can be written as 

+ = max{As(l - AR)a + AiiAfit ('^^(d) + 1 - d) 

+[Ar(1 - \b)i + A^Ab(1 - 
+[Ab(1 - Ar)(1 - a) + ARABid]0(S) 
+A^A^(l-t)0(i?5)}. 

Similar to the argument for x = 0, 7* = 1, if 0(-R) > 0, and a* = 1 if 0(-B) < 1. Furthermore, 
taking the derivative respect to d, setting it to zero, and solving it for d* yields 

d* = ^ (5\ 

1 + 2i+'^(-R)-<^(-B) ■ 

Finally, r = 1 if 

nid*) + 1 - + (1 - d*)(t)iR) + d*^iB) - (PiRB) > 0, (6) 

and the optimality condition is simplified to 

w + (f)iR) = Ab(1 - Ar) + ArAb (7Y(d*) + 1 - d*) 
+[XRil-XB) + XRXBil-d*)]ci>iR) 
+XRXBd*4>iB) (7) 
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Next, consider the optimality equation for x = B 

w + (j){B) = max{Xji{l - XB)b + XrXbz {n{r) + 1 - r) 

5,r,z,b 

+ [Xb{1 - Xjt)6 + XjiXszil - r)]<p{B) 
+ [Xnil - Ab)(1 -b) + XRXBzr](l){R) 
+XRXnil-z)cj){RB)} 

In parallel with the argument for x = R, S* = lif 4>{B) > 0, and 6* = 1 if < 1. Moreover, 

2* = 1 if 

n{r*) + 1 - r* + (1 - r*)(j){B) + r*(j){R) - (f){RB) > (8) 



where 

1 



1 + 2i+'^(^)-«^(^) ■ 

The optimality condition is simplified to 



(9) 



w + ^{B) = XR{l~XB) + XRXB{n{r*) + l-r*) 
+ [XB{l-XR) + XRXB{l-r*MB) 
+XnXBr*<l){R) (10) 
Finally, the optimality equation for x = RB is given by 

w + (j){RB) = 1 + Xr{1 - XB)(t){R) 

+Ab(1 - Ar)0(S) + XnXB(l)iRB) (11) 

Therefore, we need to solve equations dH), (|7]), and (flOl) to find w, 0(-R), and (p{B). Then, (fTTI) 
can be used to find (f)(RB). Eventually, what remains to be shown is that < 4>{R), 4>{B) < 1, 
and, in addition, 0(-R), and (p^RB) satisfy inequalities ©, ©, ©, and ([8]). 

First, consider the special case of A/? = A^ = A. By symmetry, 0(-R) = 0(5) which yields 
p* = 1/2 and d* = r* = 1/3. Then, by solving equations ^ and ([7]), we have 

and 



A^ 



-A2 + A + 



- [-A2(log3 - 1) + 2(log3 - 2) A + 3] 
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0.2 0.4 0.6 0.8 1 0.2 0.4 0.6 0.8 1 



(a) Anonymity (b) <j}{R) 

Fig. 3. Anonymity and <^(i?) for the case of \r — Xb ~ X. 



Then, the anonymity is A'^* = w/2\, and it is easy to check that the solutions satisfy all the 
inequalities. Figures |3(a)| and |3(b)| show the anonymity A'^* and (p{R) as functions of A. 



Next, consider the general case with, probably, unequal arrival rates. We prove that the 
solutions indeed exist and they satisfy the required conditions. Using dH) to replace w in ^ and 
([H) yields 

cf^iR) = XB[l-ct>{B){l-\n)] + \nXBg{0 (12) 
cf>{B) = A^[l-0(i?)(l-AB)] + A^AB/(O (13) 



where 



and 



9(0 = (d* - j9*)(-0 + Hid*) - Hip*) - d\ 
fiO = {r* + p*)^ + Hir*) - Hip*) - r* - 



Therefore, the optimal probabilities can be expressed as functions of ^ by 

1 



p 
d* 



l + 2«' 
1 

1 + 2i+«^ 
1 
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Lemma 2. The function g{^) is an increasing function of ^ and /(^) is a decreasing function 
of C, ( see Appendix for the proof). 

For any pair {(p{R), (p{B)) chosen from [0, 1] x [0, 1], — 1 < ,^ < 1, and therefore, by Lemma 
[2l functions / and g can be bounded from below and above by 

9{-l)<9{0<9i^), 

and 

/(I) </(0 </(-!)■ 

But it is easy to check that 

g{l) = /(-I) = log(5/3) - 1, gi-1) = /(I) = 1 - log 3, 

and therefore, 

-i</(0,^?(0<o. 

Consequently, the right-hand sides of (fT2l) and (fT3l) form a continuous mapping from [0, 1] x [0, 1] 
to [0, 1] X [0, 1], and therefore, by the Brouwer fixed point theorem ( lfT9l . p. 72), the system of 
nonlinear equations, ([HI), ^3, has a solution {(f){R) , (j){B)) G [0, 1] x [0, 1]. 

Next, we show that the solutions indeed satisfy the inequalities. First, we prove that Q holds. 
Define 

= n{p*)-p*i + <p{R). 

First, consider the case that — 1 < < 0, then 

^A'n{p*)-p*i) = p*'iog^—^-p*-p*'^ 

at, p 
= -P* < 0. 

Hence, 

V'i(O>^i(o) = i + 0(i?)>i. 

For the case that < ,^ < 1, rewrite tpi{0 the following 

MO = npi + a-pi^+<piB). 
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Then, 



and hence. 

Therefore, for -1 < ^ < 1, > 1, and © holds. 

Note that from ([TT]). we have 

^RB) = (14) 

i — ArAb 

and since Q holds, we have 

(piRB) < 1, 

and consequently ([3]) will be satisfied as well. 

To show Q, note that 0(-R) + 1 — (j){RB) > 0, and therefore, it suffices to prove that 

^2(0 = H{d*)-d* -d*(j){R) + d*(f){B) 

= n{d*)-d*^-d* 

is nonnegative. But '02(0 a decreasing function since 

= d*'log^--^-d*'^-d* -d*' 

dt, d 

= d*'{i + i)~d*'i-d* -d*' 

= -d* <0 

So ^2(0 > ^2(1) = ^(1/5) - 2/5 = logS - 2 > 0, and consequently © follows. © is also 
proved by a similar argument. Define a function ^3(0 as 

^3(^) = n{r*) -r* -r*(j){B) +r*(f){R) 

= n{r*)+r*i-r*. 

Then, ^^3(0 is an increasing function since 

:^^3 = r* > 0. 
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Thus, 

= 7^(1/5) -2/5 
= log 5 - 2 > 0, 

and therefore ([8]) follows. This concludes the proof of Theorem [U ■ 
C. Numerical results 

Equations dH), ([7]), and (flOl) form a system of nonlinear equations which can be solved 
numerically, for different values of Xr and Ab, by using the following algorithm. 

Algorithm 1 

1: p*, ^ 1/2, d* ^ 1/3, r* ^ 1/3 

2: i <- 

3: repeat 

4: Z ^ (i + 1) 

5: w, (j){R), (f){B) <= solve ©, ©, and (HO]) 

6: p - , d*, r* <= calculate ©, ®, and dll) 

7: until \p* -Pi^il < e, |d* - < e, and \r* - r*_J < e 



Note that in the step 5 of the algorithm, we solve a linear system of equations (p*, d*, and r* 
are replaced with their numerical values). Figure |4] shows the maximum anonymity, found by 
running the algorithm, for different arrival rates. The probabilities p*, d*, and r* of the optimal 
mixing strategy have been evaluated in figure [5] for different arrival rates and A^. 

Remark 2. The stationary policy does not exist for Xji = Xb = I since as Xr ^ 1 and Xb ^ 1, 
(f){RB) — oo (see ff7?l)). This makes sense since, in this case, if we start with initial condition 
Qo = ^t^d use the strategy specified in TheoremUl we get an anonymity of A^* = log(3)/2; 
whereas if the initial condition is Qo = RB, the only possible strategy will be to transmit the 
contents of the queue, and queue the arrived RB in each time slot. This yields an anonymity of 
1/2 bit/packet. Therefore, the optimal strategy depends on the initial condition for A/? = A^ = 1. 
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Fig. 4. Anonymity for different values of and As. 



Remark 3. Note that the mixing strategy does not change the sequence numbers of packets from 
the same flow, and therefore it is compatible with network protocols such as TCP. 

III. Double input-double output mixer 

Figure [2] shows the double input-double output mixer. The capacity of each link is 1 packet/time 
slot. Compared to the mixer with one output link, i.e., Figure [B the flows of outgoing packets 
are separate. Note that, in this case, the eavesdropper does not need to detect the sender for each 
outgoing packet; instead, it aims to find the corresponding source of each flow, by observing 
a sequence of outgoing packets with enough length. Without loss of generality, assume that 
Aj? > As (the singular case of = will be discussed later). Then, by calculating the long- 
run average rates of outgoing flows, the eavesdropper can identify the corresponding source- 
destination pairs. Therefore, it is not possible to get any anonymity without dropping some 
packets from the red flow. Hence, the maximum achievable throughput for each flow cannot be 
more than min{A/i;, Ab}(= A^), and, at least, the packets of the flow with higher rate, which 
is the red flow here, must be dropped at an average rate of Xr — Xb- Note that, in contrast 
with the double input-single output mixer, a strict delay T for each packet does not make sense, 
since it might happen that there is a blue arrival but there are no red arrivals for a time duration 
of T, in which case transmitting the blue packet will immediately reveals the corresponding 
destination of the blue source. Therefore, instead, we consider the average delay as the QoS 
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(c) r* 

Fig. 5. Probabilities p* , d* , and r* for different arrival rates Xr and As- 

metric. We can model the mixer with two queues for red and blue arrivals. We only consider 
strategies that achieve maximum throughput with perfect anonymity. Perfect anonymity means 
that, by observing the output sequence, the eavesdropper cannot obtain any information and each 
outgoing flow is equally likely to belong to one of sources. Therefore, red and blue packets must 
be transmitted simultaneously on output links, i.e., red packets are only transmitted when there 
is a blue packet in the second queue, and similarly, the blue packets are served when there is a 
red packet in the first queue. Therefore, the question of interest is: how to drop red packets at 
an average rate of \r — \b to minimize the average delay? 

Since the average delay is proportional to the average queue length by Little's law, we can 
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Fig. 6. Markov chain representing the double input-double output mixer 



equivalently consider the problem of minimizing the mean queue length. This problem can 
be posed as an infinite-state Markov decision problem with unbounded cost. It follows from 
checking standard conditions, e.g., GOll . [|2T]| . that a stationary optimal policy exists for our 
problem, however, the average-cost optimality equation may not hold. Therefore, we follow a 
different approach. 

We note that when a red packet and a blue packet are both available, to minimize queue length, 
it is best to transmit them immediately. Therefore, when one of the queues (blue or red) hits 
zero, from that point onwards, only one of the queues can be non-empty. Thus in steady-state, 
we can assume that one queue can be non-empty. As a result, we have the Markov decision 
process described next. Figure [6] shows the state transition diagram, where (z,j) represents the 
state of the system where there are i packets in the red queue and j packets in the blue queue. 
The transition probabilities are given by 

P[{0,y)\{0,y)] = XrXb + {1-Xr){1-Xb) 
P[{0,y-l)my)] = Xnil-Xs) 
P[(0,y + l)|(0,y)] = Xb{1-Xr), 

and 

P[(x,0)|(x,0)] = XrXb + {I - XR)il - Xb) + Xr{1 - Xb)5, 

P[{x-l,0)\{x,0)] = Xb{1-Xr) 

P[(x+l,0)|(a;,0)] = Afi(l-AB)(l-4), 

where 6^ denotes probability of dropping the red packet in state (x, 0), if there is a red arrival 
but no blue arrival. Note that stability of the system (finiteness of delay) implies that the red 
packets must be dropped at an average rate of Xr — Xr- So our problem is to determine 5x for 
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Fig. 7. The optimal tliresliold to minimize the average delay 

each X to minimize the mean queue length. We will show that the optimal policy is a threshold 
policy, which is defined below. 

Definition 2. A threshold policy, with threshold m, is a policy that has the following properties: 
(5a; = for all < X < m — 1, and 6m = 1, where m is a nonnegative integer number. 

The following theorem presents the main result regarding the optimal strategy. 

Theorem 2. For the double input-double output mixer, the threshold policy is optimal, in the 
sense that it minimizes the average delay among all maximum throughput policies with perfect 
anonymity. Moreover, the threshold is given by 



In other words, no buffer is needed for \r > j:^, but, as rates get closer, for Xb < Xr < 
Yff^, a buffer of size m* for the red flow is needed. The optimal threshold m* is depicted in 
Figure |71 Note that the singular case of A/? = = A (p = 1) is not stable. By allowing a small 
drop rate of eA for each flow, where < e ^ 1, one buffer for each flow can be considered, 
and the thresholds and the delay can be expressed as functions of e. 

Proof of Theorem \2\- The steady state distribution for the Markov chain of Figure [6] is 




(15) 
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given by 



where 



and 



7ro,o 



= 7ro,oP^, y = 1, 2, 



x-l 



i=Q 



OD X—1 



x=l i=0 



Xb{1-\ 



R 



" Afl(l-AB)- 

Recall that, by assumption, Xr> Xb, and therefore < p < 1. The average queue length is 



7ro,o 



x=l 



P 



x-l 



Note that for any nonnegative integer j, and for fixed values of 5jS, i 7^ j, L is a linear fractional 
function of Sj. More formally, 

Aj + (1 - S/)D, 



L{6,) 



A' + {l-Sj)B: 



1 1 



where 



j x-l 



A', 



= A+E^>''n(i-*<). 



p 
p 



x=l 1=0 

j x-l 



(1 - py 



^,x-p-n(i-5,), 



x=l 



B' 



P> 



00 x+j 
x=l i=j+l 



and 



+1 



z=l 



Therefore, dL/d5j is either positive or negative, independent of 5j, and consequently, the optimal 
5j to minimize L is either or 1, i.e., 5* e {0, 1} for all j. But, all of the 5jS cannot be zero. 
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Otherwise the system will not be stable. Define m to be the smallest j such that 6* = 1. Then 
5a; = for all < x < m — 1, and 5m = 1 which yields a threshold policy with threshold m. 
Therefore the threshold policy is the optimal policy. 

Next, we find the optimal threshold m*. The stationary distribution of a threshold policy with 
threshold m is given by 

TTo.y = vro,oP^, y = l,2,--- 

7i"x,o = 'n-Qflil/pT, X = 1,2,- ■ ■ ,m 

where 7ro,o = (1 — p)p™- Therefore, tt^.o = ^ ~ and the average packet-drop rate, Pdrop, is 
given by 

Pdrop = 7rm,oA_R(l — \b) = A/j — Afi 

which is independent of the threshold m. The average queue length is given by 

oo m 

L{m) = yno^y + ^ xvr^. o 

y=l x=0 

= (2p-+i+m(l-p)-p)/(l-p). (16) 

Note that L(m), as a continuous function of m, is strictly convex over m E [0, oo) for any fixed 
< p < 1; therefore, it has a unique minimizer m* which is either zero or the solution of 
1^ = 0. Since we seek the smallest integer- valued m*, the convexity implies that m* is zero if 

1(0) < 1(1), 

or it's a positive integer m* satisfying 

L(m*) < L{m* - 1), 

and 

L(m*) < L(m* + 1). 
Then by using (fT6l) . it follows that m* = if p < |, and for p > |, it satisfies 

2p"^* > 1, 

and 

2p'"*+i < 1, 
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which yields 



This concludes the proof. ■ 

Remark 4. Instead of dropping the packets, the mixer can send dummy packets, at an average 
rate of Xr — Xb, as follows. In the optimal threshold strategy, if a red packet arrives when the 
red queue is full and there are no blue packets in the blue queue, a red packet is sent out along 
with a dummy packet on the other link, and the received red packet is accepted to the queue. 



The definition of anonymity and the optimal mixing strategy for a router in an anonymous 
network depend on its functionality. In the case of a double input- single output mixer, an 
eavesdropper knows the next hop of every packet but the router attempts to hide the identity 
of the packet at the output link so as to make it harder for the eavesdropper to follow the path 
of a flow further downstream. On the other hand, when there are two inputs, two outputs and 
only two flows, even revealing the identity of one packet at the output compromises that portion 
of both flow's route. For the first case, the optimal mixing strategy was found to achieve the 
maximum anonymity under a per-packet latency constraint, and for the second case, the maximum 
throughput strategy with perfect anonymity that achieves minimum average delay was found. 
Our results in this paper represent a first attempt at theoretically characterizing optimal mixing 
strategies in two fundamental cases. Further research is needed to find optimal mixing strategies 
under more general constraints or for the multiple input-multiple output mixer. 



IV. Conclusions 



Appendix A 




but 



_d_ 

dd* 



Hid*) = log 



1 - d* 
d* 



1 + e 



and 



A 

dp 



n{p*) = log 



i-p* 

p* 
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therefore 

g'iO = if - d*) 

which is always nonnegative for all values of ^. Similarly for f{^), we have 

no = {r* + Pi + ip*' + r*')^ + r*'-^n{r*) - p'^' ^n{p*) - r*' - I 

ar* dp* 



but 



and, as we saw. 



therefore 



d 1 —r* 

— H(r*)=log— ^ = l-e 

dr* r* 



no = r-+p--l 



1 + 21-5 1 + 25 
2« 1 



2« + 2 1 + 2? 



1 



2^ ^ 

- 1 + 25 + 1 + 25 ^ 

= 0. (17) 
Hence, /(^) is a decreasing function. ■ 
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